Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tdmY2LWh3eGgtN3Y3Ns4AA6Eg
Information leakage in YAQL
When YAQL before 3.0.0 is used in Murano, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
Permalink: https://github.com/advisories/GHSA-mvf6-hwxh-7v76
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdmY2LWh3eGgtN3Y3Ns4AA6Eg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 8 months ago
Identifiers: GHSA-mvf6-hwxh-7v76, CVE-2024-29156
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-29156
- https://launchpad.net/bugs/2048114
- https://opendev.org/openstack/murano/tags
- https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3
- https://wiki.openstack.org/wiki/OSSN/OSSN-0093
- https://bugs.launchpad.net/murano/+bug/2048114
- https://github.com/advisories/GHSA-mvf6-hwxh-7v76
Affected Packages
pypi:yaql
Dependent packages: 10
Dependent repositories: 82
Downloads: 138,589 last month
Affected Version Ranges: < 3.0.0
Fixed in: 3.0.0
All affected versions: 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 2.0.0, 2.0.1
All unaffected versions: 3.0.0